Overview
Google Calendar embedding API allows injection of arbitrary content.
Background
Google Calendar offers an embedding API, allowing calendars to be embedded in web pages. This API is accessible at the following URL:
https://www.google.com/calendar/embed?src=<url>
Details
When the src value is not a valid calendar id, the API reflects that value back in its error message. For example, the following URL:
https://www.google.com/calendar/embed?src=<url>
would show the following message:
Invalid calendar id: <url>
While we have not been able to show script execution, we believe that this can still be used as a vector of attack, especially since this injects content into a page that is SSL secured with a Google certificate. Interestingly, a similar content injection attack was considered to be severe enough by Microsoft to be fixed (as per our earlier blog post).
We would like to present the following attack scenarios:
Scenario #1 — Phishing attack
An attacker can use this to send email to Google Calendar users with the following URL:
https://www.google.com/calendar/embed?src=-We%20are%20having%20a%20problem%20with%20your%20account.%20Please%20call%201-800-BAD-GUYS%20x123%20and%20give%20them%20your%20password
Resulting in the following message:
Invalid calendar id: -We are having a problem with your account. Please call 1-800-BAD-GUYS x123 and give them your password
A sophisticated attack can issue a unique extension for each spammed address, bypassing the requirement for users to provide their email address over the phone. It would also be possible to automate such an attack with voice API providers like Twilio, further putting users at ease, since most phone phishing attempts use humans.
Scenario #2 — Stock manipulation attack
An attacker can use the following URL to show a fake Google Calendar in an attempt to manipulate the stock market:
https://www.google.com/calendar/embed?src=-BEGIN%3AVEVENT%0ASUMMARY%3A%20%0AUID%3A12345%0ADESCRIPTION%3BSergey%20Brin%2FElon%20Musk%20to%20announce%20%24GOOG%20acquisition%20of%20%24TSLA%0ALOCATION%3AMountainview%2C%20CA%0ADTSTART%3BTZID%3D%2FUS%2FEastern%3A20151109T100000%0ADTEND%3BTZID%3D%2FUS%2FEastern%3A20151109T113000%0AURL%3Ahttp%3A%2F%2Fintranet.google.com%2Fcalendar%2Fsergerybrin%2Feventid%3D12345%0AEND%3AVEVENT
This would result in the following message:
Invalid calendar id: -BEGIN:VEVENT SUMMARY: UID:12345 DESCRIPTION;Sergey Brin/Elon Musk to announce $GOOG acquisition of $TSLA LOCATION:Mountainview, CA DTSTART;TZID=/US/Eastern:20151109T100000 DTEND;TZID=/US/Eastern:20151109T113000 URL:http://intranet.google.com/calendar/sergerybrin/eventid=12345 END:VEVENT
Seemingly this would indicate a fake calendar event announcing the acquisition of Tesla Motors by Google. HOWEVER, given that the embed API can be used to embed any calendar, it would be trivial to create a real Google calendar with fake info and embed it.
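Both scenarios hinge on the src parameter carrying free-form text instead of a calendar id, so a mail gateway or URL filter can flag such links before they reach users. The following check is an added example and is not part of the original advisory; the regular expression for legitimate calendar ids and the list of lure hints are assumptions, and the benign sample URL is constructed.

```python
"""Flag Google Calendar embed URLs whose src value is reflected free text
rather than a calendar id (added example, not from the advisory)."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a genuine calendar id looks like an e-mail address
# (user@gmail.com, id@group.calendar.google.com, en.usa#holiday@group.v...).
# Anything else is echoed verbatim in the "Invalid calendar id:" message.
CALENDAR_ID = re.compile(r"^[A-Za-z0-9._%#+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Lure hints (constructed for this example) drawn from the two scenarios.
LURE_HINTS = [
    ("phone number", re.compile(r"\b1-?8(00|88|77|66)\b|\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("credential request", re.compile(r"\b(password|passcode|pin)\b", re.I)),
    ("ical markup", re.compile(r"BEGIN:VEVENT|DTSTART|SUMMARY:", re.I)),
]

# Sample inputs: the two URLs from the advisory plus one constructed benign id.
PHISHING_URL = ("https://www.google.com/calendar/embed?src=-We%20are%20having%20a%20problem"
                "%20with%20your%20account.%20Please%20call%201-800-BAD-GUYS%20x123%20and"
                "%20give%20them%20your%20password")
STOCK_URL = ("https://www.google.com/calendar/embed?src=-BEGIN%3AVEVENT%0ASUMMARY%3A%20"
             "%0AUID%3A12345%0ADESCRIPTION%3BSergey%20Brin%2FElon%20Musk%20to%20announce"
             "%20%24GOOG%20acquisition%20of%20%24TSLA%0ADTSTART%3BTZID%3D%2FUS%2FEastern"
             "%3A20151109T100000%0AEND%3AVEVENT")
BENIGN_URL = "https://www.google.com/calendar/embed?src=en.usa%23holiday%40group.v.calendar.google.com"


def analyze_embed_url(url: str) -> dict:
    """Return the decoded src and the lure hints it matches (empty list = benign)."""
    parts = urlsplit(url)
    if parts.hostname != "www.google.com" or parts.path != "/calendar/embed":
        return {"embed": False, "src": None, "hints": []}
    src = parse_qs(parts.query).get("src", [""])[0]  # parse_qs percent-decodes
    if CALENDAR_ID.match(src):
        return {"embed": True, "src": src, "hints": []}
    hints = [name for name, rx in LURE_HINTS if rx.search(src)]
    # Free text that is not an id is suspicious on its own, because it is
    # reflected on a trusted, TLS-protected origin even without a hint match.
    return {"embed": True, "src": src, "hints": hints or ["non-id free text"]}


if __name__ == "__main__":
    for u in (PHISHING_URL, STOCK_URL, BENIGN_URL):
        print(analyze_embed_url(u)["hints"])
```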
Screenshot
(Please note the SSL icon)
Vendor Response
Vendor response is as follows:
There is no XSS demonstrated here, just content injection, which has legitimate use and is not a technical security bug for the purposes of our reporting program (phishing generally isn’t a “technical” enough attack scenario). All inputs appear to be properly sanitized, so if you want to demonstrate an actual XSS, you’d need to show proof of script execution.
References
Google Security CID: 6-1050000008145
Google Calendar Embed docs: https://support.google.com/calendar/answer/41207?hl=en
Timeline
2015-08-07: Vendor notified
2015-08-07: Vendor response
2015-10-26: Public disclosure
Version Information
Version 1
Last updated on 2015-09-21